Python yara.compile() Examples
The following are 30
code examples of yara.compile().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
yara
, or try the search function
.
.
Example #1
| Source Project: unipacker Author: unipacker File: shell.py License: GNU General Public License v2.0 | 7 votes |
|
def do_yara(self, args):
"""Run YARA rules against the sample
Usage: yara [<rules_path>]
If no rules file is specified, the default 'malwrsig.yar' is being used.
Those rules are then compiled and checked against the memory dump of the current emulator state (see 'dump' for further
details on this representation)"""
if not args:
if not self.rules:
try:
self.rules = yara.compile(filepath=f"{os.path.dirname(unipacker.__file__)}/malwrsig.yar")
print("Default rules file used: malwrsig.yar")
except:
print(f"{Fore.LIGHTRED_EX}Error: malwrsig.yar not found!{Fore.RESET}")
else:
self.rules = yara.compile(filepath=args)
self.sample.unpacker.dump(self.engine.uc, self.engine.apicall_handler, self.sample)
matches = self.rules.match("unpacked.exe")
print(", ".join(map(str, matches)))
Example #2
| Source Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 6 votes |
|
def dotnet_resource_names(self):
"""
Read .NET Resources and return a list of resource names
:return: list
"""
try:
rules = yara.compile(source='import "dotnet" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
resource_list = []
def modules_callback(data):
for i, resource in enumerate(data.get('resources', [])):
resource_list.append(resource['name'])
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return resource_list
Example #3
| Source Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 6 votes |
|
def dotnet_resource_by_name(self, resource_name):
"""
Extract a .NET Resource by name
:param resource_name:
:return:
"""
try:
rules = yara.compile(source='import "dotnet" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
def modules_callback(data):
for i, resource in enumerate(data.get('resources', [])):
if resource['name'] == resource_name:
offset = resource['offset']
length = resource['length']
self.res_data = self.file_data[offset:offset + length]
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return self.res_data
Example #4
| Source Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 6 votes |
|
def elf_list_sections(self):
"""
Read a list of sections from an elf binary
:return: list of section names
"""
try:
rules = yara.compile(source='import "elf" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara ELF did you enable it?")
section_names = []
def modules_callback(data):
for i, section in enumerate(data.get('sections', [])):
section_names.append(section['name'].decode('utf-8'))
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return section_names
Example #5
| Source Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 6 votes |
|
def elf_section_by_name(self, resource_name):
"""
Extract an elf section by name
:param resource_name:
:return:
"""
try:
rules = yara.compile(source='import "elf" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara ELF did you enable it?")
def modules_callback(data):
for i, section in enumerate(data.get('sections', [])):
if section['name'].decode('utf-8') == resource_name:
offset = section['offset']
length = section['size']
self.res_data = self.file_data[offset:offset + length]
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return self.res_data
Example #6
| Source Project: rekall Author: google File: yarascanner.py License: GNU General Public License v2.0 | 6 votes |
|
def __init__(self, *args, **kwargs):
"""Scan using yara signatures."""
super(YaraScanMixin, self).__init__(*args, **kwargs)
# Compile the yara rules in advance.
if self.plugin_args.yara_expression:
self.rules_source = self.plugin_args.yara_expression
self.rules = yara.compile(source=self.rules_source)
elif self.plugin_args.binary_string:
self.compile_rule(
'rule r1 {strings: $a = {%s} condition: $a}' %
self.plugin_args.binary_string)
elif self.plugin_args.string:
self.compile_rule(
'rule r1 {strings: $a = "%s" condition: $a}' %
self.plugin_args.string)
elif self.plugin_args.yara_file:
self.compile_rule(open(self.plugin_args.yara_file).read())
elif not self.ignore_required:
raise plugin.PluginError("You must specify a yara rule file or "
"string to match.")
Example #7
| Source Project: aumfor Author: virtualrealitysystems File: linux_truecrypt.py License: GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
linux_common.set_plugin_members(self)
tasks = linux_pslist.linux_pslist.calculate(self)
for task in tasks:
if str(task.comm) != "truecrypt":
continue
space = task.get_process_address_space()
if not space:
continue
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
})
scanner = PassphraseScanner(task = task, rules = rules)
for address, password in scanner.scan():
yield task, address, password
Example #8
| Source Project: aumfor Author: virtualrealitysystems File: poisonivy.py License: GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
rules = yara.compile(sources = signatures)
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
vad_base_addr = self.get_vad_base(task, address)
if address - vad_base_addr > 0x1000:
continue
yield task, vad_base_addr
Example #9
| Source Project: ACE Author: IntegralDefense File: pdf-parser.py License: Apache License 2.0 | 6 votes |
|
def YARACompile(ruledata):
if ruledata.startswith('#'):
if ruledata.startswith('#h#'):
rule = binascii.a2b_hex(ruledata[3:])
elif ruledata.startswith('#b#'):
rule = binascii.a2b_base64(ruledata[3:])
elif ruledata.startswith('#s#'):
rule = 'rule string {strings: $a = "%s" ascii wide nocase condition: $a}' % ruledata[3:]
elif ruledata.startswith('#q#'):
rule = ruledata[3:].replace("'", '"')
else:
rule = ruledata[1:]
return yara.compile(source=rule)
else:
dFilepaths = {}
if os.path.isdir(ruledata):
for root, dirs, files in os.walk(ruledata):
for file in files:
filename = os.path.join(root, file)
dFilepaths[filename] = filename
else:
for filename in ProcessAt(ruledata):
dFilepaths[filename] = filename
return yara.compile(filepaths=dFilepaths)
Example #10
| Source Project: idawilli Author: williballenthin File: yara_fn.py License: Apache License 2.0 | 6 votes |
|
def test_yara_rule(rule):
'''
try to match the given rule against each segment in the current exectuable.
raise TestDidntRunError if its not possible to import the YARA library.
return True if there's at least one match, False otherwise.
'''
try:
import yara
except ImportError:
logger.warning("can't test rule: failed to import python-yara")
raise TestDidntRunError('python-yara not available')
r = yara.compile(source=rule)
for segment in get_segments():
matches = r.match(data=segment.buf)
if len(matches) > 0:
logger.info('generated rule matches section: {segment.name}')
return True
return False
Example #11
| Source Project: Python-Digital-Forensics-Cookbook Author: PacktPublishing File: yara_scanner.py License: MIT License | 6 votes |
|
def main(yara_rules, path_to_scan, output):
if os.path.isdir(yara_rules):
yrules = yara.compile(yara_rules)
else:
yrules = yara.compile(filepath=yara_rules)
if os.path.isdir(path_to_scan):
match_info = process_directory(yrules, path_to_scan)
else:
match_info = process_file(yrules, path_to_scan)
columns = ['rule_name', 'hit_value', 'hit_offset', 'file_name',
'rule_string', 'rule_tag']
if output is None:
write_stdout(columns, match_info)
else:
write_csv(output, columns, match_info)
Example #12
| Source Project: ida_haru Author: TakahiroHaruyama File: yara_fn.py License: Apache License 2.0 | 6 votes |
|
def test_yara_rule(rule):
'''
try to match the given rule against each segment in the current exectuable.
raise TestDidntRunError if its not possible to import the YARA library.
return True if there's at least one match, False otherwise.
'''
try:
import yara
except ImportError:
logger.warning("can't test rule: failed to import python-yara")
raise TestDidntRunError('python-yara not available')
r = yara.compile(source=rule)
for segment in get_segments():
if segment.buf is not None:
matches = r.match(data=segment.buf)
if len(matches) > 0:
logger.info('generated rule matches section: {:s}'.format(segment.name))
return True
return False
Example #13
| Source Project: CIRTKit Author: opensourcesec File: rat.py License: MIT License | 6 votes |
|
def auto(self):
if not HAVE_YARA:
self.log('error', "Missing dependency, install yara (see http://plusvic.github.io/yara/)")
return
if not __sessions__.is_set():
self.log('error', "No session opened")
return
rules = yara.compile(os.path.join(CIRTKIT_ROOT, 'data/yara/rats.yara'))
for match in rules.match(__sessions__.current.file.path):
if 'family' in match.meta:
self.log('info', "Automatically detected supported RAT {0}".format(match.rule))
self.get_config(match.meta['family'])
return
self.log('info', "No known RAT detected")
Example #14
| Source Project: SSMA Author: secrary File: check.py License: GNU General Public License v3.0 | 6 votes |
|
def is_malware(filename):
if not os.path.exists("rules_compiled/malware"):
os.mkdir("rules_compiled/malware")
for n in os.listdir("rules/malware/"):
if not os.path.isdir("./" + n):
try:
rule = yara.compile("rules/malware/" + n)
rule.save("rules_compiled/malware/" + n)
rule = yara.load("rules_compiled/malware/" + n)
m = rule.match(filename)
if m:
return m
except:
pass # internal fatal error or warning
else:
pass
# Added by Yang
Example #15
| Source Project: omnibus Author: InQuest File: yara.py License: MIT License | 6 votes |
|
def run(self):
results = {'matches': {}}
all_rules = list_dir(self.rules)
for r in all_rules:
rule = yara.compile(r)
matches = rule.match(data=open(self.artifact['path'], 'rb').read())
for m in matches:
if m.rule not in results['matches'].keys():
results['matches'][m.rule] = []
for tag in m.tags:
if tag not in results['matches'][m.rule]:
results['matches'][m.rule].append(tag)
self.artifact['data']['yara'] = results
Example #16
| Source Project: Cortex-Analyzers Author: TheHive-Project File: yara_analyzer.py License: GNU Affero General Public License v3.0 | 6 votes |
|
def __init__(self):
Analyzer.__init__(self)
self.rulepaths = self.get_param('config.rules', None, 'No paths for rules provided.')
if isinstance(self.rulepaths, str):
self.rulepaths = [self.rulepaths]
self.ruleset = []
for rulepath in self.rulepaths:
if os.path.isfile(rulepath):
if rulepath[len(rulepath)-3:] == 'yar':
self.ruleset.append(yara.compile(rulepath))
elif rulepath[len(rulepath)-3:] == 'yas':
self.ruleset.append(yara.load(rulepath))
elif os.path.isdir(rulepath):
if os.path.isfile(rulepath + '/index.yas'):
self.ruleset.append(yara.load(rulepath + '/index.yas'))
elif os.path.isfile(rulepath + '/index.yar'):
self.ruleset.append(yara.compile(rulepath + '/index.yar'))
Example #17
| Source Project: volatility Author: volatilityfoundation File: linux_truecrypt.py License: GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
linux_common.set_plugin_members(self)
tasks = linux_pslist.linux_pslist.calculate(self)
for task in tasks:
if str(task.comm) != "truecrypt":
continue
space = task.get_process_address_space()
if not space:
continue
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
})
scanner = PassphraseScanner(task = task, rules = rules)
for address, password in scanner.scan():
yield task, address, password
Example #18
| Source Project: vortessence Author: vortessence File: linux_truecrypt.py License: GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
linux_common.set_plugin_members(self)
tasks = linux_pslist.linux_pslist.calculate(self)
for task in tasks:
if str(task.comm) != "truecrypt":
continue
space = task.get_process_address_space()
if not space:
continue
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
})
scanner = PassphraseScanner(task = task, rules = rules)
for address, password in scanner.scan():
yield task, address, password
Example #19
| Source Project: vortessence Author: vortessence File: poisonivy.py License: GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
rules = yara.compile(sources = signatures)
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
vad_base_addr = self.get_vad_base(task, address)
if address - vad_base_addr > 0x1000:
continue
yield task, vad_base_addr
Example #20
| Source Project: binaryalert Author: airbnb File: compile_rules.py License: Apache License 2.0 | 6 votes |
|
def compile_rules(target_path: str) -> None:
"""Compile YARA rules into a single binary rules file.
Args:
target_path: Where to save the compiled rules file.
"""
# Each rule file must be keyed by an identifying "namespace"; in our case the relative path.
yara_filepaths = {relative_path: os.path.join(RULES_DIR, relative_path)
for relative_path in _find_yara_files()}
# Compile all available YARA rules. Note that external variables are defined but not set;
# these will be set at runtime by the lambda function during rule matching.
rules = yara.compile(
filepaths=yara_filepaths,
externals={'extension': '', 'filename': '', 'filepath': '', 'filetype': ''})
rules.save(target_path)
Example #21
| Source Project: binaryalert Author: airbnb File: yara_mocks.py License: Apache License 2.0 | 6 votes |
|
def save_test_yara_rules(rules_save_file: str, empty_rules_file: bool = False):
"""Save compiled test YARA rules to the filesystem, which should already be mocked.
Args:
rules_save_file: Path to rules save file.
empty_rules_file: If true, writes an empty rules file.
"""
if empty_rules_file:
sources = {'empty.yar': ''}
else:
sources = {'evil_check.yar': EVIL_STRING_RULE, 'externals.yar': RULES_WITH_VARIABLES}
# Compile YARA rules and save them as an in-memory binary string.
rules = yara.compile(
sources=sources,
externals={'extension': '', 'filename': '', 'filepath': '', 'filetype': ''})
rule_data = io.BytesIO()
rules.save(file=rule_data)
rule_data.seek(0)
# Save the files to the mock filesysytem.
with open(rules_save_file, 'wb') as file:
file.write(rule_data.read())
Example #22
| Source Project: DAMM Author: 504ensicsLabs File: linux_truecrypt.py License: GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
linux_common.set_plugin_members(self)
tasks = linux_pslist.linux_pslist.calculate(self)
for task in tasks:
if str(task.comm) != "truecrypt":
continue
space = task.get_process_address_space()
if not space:
continue
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
})
scanner = PassphraseScanner(task = task, rules = rules)
for address, password in scanner.scan():
yield task, address, password
Example #23
| Source Project: PeekabooAV Author: scVENUS File: peekabooyar.py License: GNU General Public License v3.0 | 6 votes |
|
def evaluate(self, s):
rules = yara.compile(
source='''
rule peekabooyar
{
strings:
$peekabooyar1 = "X5O!P%@AP-/_(:)_/-X22x8cz2$PeekabooAV-STD-ANTIVIRUS-TEST-FILE!$H+H*"
condition:
$peekabooyar1
}'''
)
# FIXME: Only user of file_path. Remove?
with open(s.file_path, 'rb') as sample_file:
matches = rules.match(data=sample_file.read())
if matches != []:
return self.result(Result.bad,
"Die Datei beinhaltet Peekabooyar",
False)
return self.result(Result.unknown,
"Die Datei beinhaltet kein erkennbares Peekabooyar",
True)
Example #24
| Source Project: RATDecoders Author: kevthehermit File: test_yara.py License: MIT License | 5 votes |
|
def test_yara_pe():
yara.compile(source='import "pe" rule a { condition: false }')
Example #25
| Source Project: RATDecoders Author: kevthehermit File: test_yara.py License: MIT License | 5 votes |
|
def test_yara_dotnet():
yara.compile(source='import "dotnet" rule a { condition: false }')
Example #26
| Source Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 5 votes |
|
def pe_resource_id(self, res_id):
"""
Read resource by its ID. Useful where normal pe file fails.
:return: list
"""
try:
rules = yara.compile(source='import "pe" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
resource_list = []
def modules_callback(data):
for i, resource in enumerate(data.get('resources', [])):
if 'id' in resource:
if resource['id'] == res_id:
offset = resource['offset']
length = resource['length']
self.res_data = self.file_data[offset:offset + length]
elif 'name_string' in resource:
# Remove null bytes for a better comparison
res_name = resource['name_string'].decode('UTF-8').replace('\x00', '')
# Check both unicode and plain str versions of name
if res_name == res_id or resource['name_string'] == res_id:
offset = resource['offset']
length = resource['length']
self.res_data = self.file_data[offset:offset + length]
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return self.res_data
Example #27
| Source Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 5 votes |
|
def dotnet_user_strings(self):
"""
Parse a list of User Strings from a .NET Binary file
:return: list of strings
"""
try:
rules = yara.compile(source='import "dotnet" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
user_strings = []
def modules_callback(data):
for i, userstring in enumerate(data.get('user_strings', [])):
# Remove null bytes
userstring = userstring.replace(b'\x00', b'')
# Add string to list
try:
user_strings.append(userstring.decode('utf-8'))
except UnicodeDecodeError:
pass
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return user_strings
Example #28
| Source Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 5 votes |
|
def ascii_strings(self, min_len=4):
"""
parse a list of ascii strings from a binary file
:return:
"""
string_list = []
chars = b" !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t"
regexp = b'[%s]{%d,}' % (chars, min_len)
pattern = re.compile(regexp)
for s in pattern.finditer(self.file_data):
string_list.append(s.group())
return string_list
Example #29
| Source Project: RATDecoders Author: kevthehermit File: fileparser.py License: MIT License | 5 votes |
|
def unicode_strings(self, min_len=4):
string_list = []
chars = r" !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t"
regexp = b'((?:[%s]\x00){%d,})' % (chars, min_len)
pattern = re.compile(regexp)
for s in pattern.finditer(self.file_data):
string_list.append(s.group())
Example #30
| Source Project: RATDecoders Author: kevthehermit File: netwire.py License: MIT License | 5 votes |
|
def yara_scan(self, raw_data, rule_name):
yara_data = []
yara_rules = yara.compile(source=rule_source)
matches = yara_rules.match(data=raw_data)
for match in matches:
if match.rule == 'opcodes':
for item in match.strings:
if item[1] == rule_name:
data = item[2]
yara_data.append(data)
return yara_data
